Vulnerability Description
IPython Notebook 0.12 through 1.x before 1.2 does not validate the origin of websocket requests, which allows remote attackers to execute arbitrary code by leveraging knowledge of the kernel id and a crafted page.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Opensuse | Opensuse | 13.1 |
| Ipython | Ipython Notebook | 0.12 |
| Mageia | Mageia | 3.0 |
Related Weaknesses (CWE)
References
- http://advisories.mageia.org/MGASA-2014-0320.htmlThird Party Advisory
- http://lambdaops.com/cross-origin-websocket-hijacking-of-ipythonPress/Media CoverageTechnical Description
- http://lists.opensuse.org/opensuse-updates/2014-08/msg00039.htmlThird Party Advisory
- http://permalink.gmane.org/gmane.comp.python.ipython.devel/13198Broken Link
- http://seclists.org/oss-sec/2014/q3/152Third Party AdvisoryVDB Entry
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:160Broken Link
- https://bugzilla.redhat.com/show_bug.cgi?id=1119890Issue Tracking
- https://exchange.xforce.ibmcloud.com/vulnerabilities/94497
- https://github.com/ipython/ipython/pull/4845Issue TrackingPatch
- http://advisories.mageia.org/MGASA-2014-0320.htmlThird Party Advisory
- http://lambdaops.com/cross-origin-websocket-hijacking-of-ipythonPress/Media CoverageTechnical Description
- http://lists.opensuse.org/opensuse-updates/2014-08/msg00039.htmlThird Party Advisory
- http://permalink.gmane.org/gmane.comp.python.ipython.devel/13198Broken Link
- http://seclists.org/oss-sec/2014/q3/152Third Party AdvisoryVDB Entry
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:160Broken Link
FAQ
What is CVE-2014-3429?
CVE-2014-3429 is a vulnerability with a CVSS score of 6.8 (MEDIUM). IPython Notebook 0.12 through 1.x before 1.2 does not validate the origin of websocket requests, which allows remote attackers to execute arbitrary code by leveraging knowledge of the kernel id and a ...
How severe is CVE-2014-3429?
CVE-2014-3429 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-3429?
Check the references section above for vendor advisories and patch information. Affected products include: Opensuse Opensuse, Ipython Ipython Notebook, Mageia Mageia.